Password Managers in 2026 — 1Password 8 / Bitwarden / Proton Pass / Dashlane / KeePassXC / iOS Passwords / Android Credential Manager Deep Dive

When NIST finalized SP 800-63B-4 in late 2025 — codifying "no forced periodic rotation," "15 characters minimum recommended," and "passkey-first" — password managers stopped being a "nice tool to have" and became indispensable infrastructure. The 2026 market is simultaneously absorbing the LastPass aftershock, the stabilization of 1Password 8's Electron rewrite, Proton Pass's free-tier assault, and the rise of OS-bundled solutions. This post compares 14 of the most important managers honestly.

The 2026 password-manager map — commercial / open-source / free OS-native, three camps

The market in 2026 has cleanly split into three camps.

| Camp | Examples | Strength | Weakness |
|---|---|---|---|
| Commercial SaaS | 1Password 8, Dashlane, NordPass, RoboForm, LastPass | UX, family sharing, support | Monthly fees, vendor lock-in |
| Open-source / hostable | Bitwarden, Vaultwarden, KeePassXC, Proton Pass | Transparency, self-hosting | Some rough UX |
| Free OS-bundled | iOS/macOS Passwords, Android Credential Manager, Apple Keychain, Google Password Manager, Firefox Passwords | Free, default integration | Weak cross-platform |

What is interesting is how rapidly each camp now invades the others. Apple in iOS 18 carved out a dedicated Passwords app for the first time, weakening the old assumption that "OS-built-in is weaker." Google made Credential Manager the unified API standard in Android 15. Proton Pass attacks Bitwarden's share with "free + E2EE + open source." Meanwhile 1Password tries to stay a step ahead with Watchtower, SSH key management, and developer tooling.

The priority order for choosing in 2026 has also shifted. (1) passkey quality, (2) cross-platform sync stability, (3) E2EE architecture transparency, (4) family/team sharing model, (5) 2FA token storage policy, (6) what happens after an incident — in that order. Price is the last variable, because the cost of losing or leaking your vault dwarfs the lifetime subscription fee of every manager combined.

The LastPass 2022 incident and its aftermath — why trust matters

LastPass was breached twice in 2022, in August and November. The second breach exfiltrated encrypted vault data, URL metadata, and partially cleartext IP and email information from a GoTo (LogMeIn) backup. The vaults were encrypted with the user's master password, but attackers could now mount unlimited offline brute-force attempts. Users with weak masters, or those still on legacy KDF settings (some accounts shipped with only 5,000 PBKDF2 iterations), were effectively exposed.

Three lessons remained by 2026.

  1. Metadata is also a secret. Vault URLs, folder structure, and attachment names were cleartext at LastPass. An attacker learned exactly which exchanges, banks, or corporate SaaS apps a victim used. 1Password, Bitwarden, and Proton Pass all subsequently strengthened metadata encryption.
  2. KDF transparency matters. Users must be able to see and tune their PBKDF2/Argon2 iteration count, memory cost, and parallelism. Bitwarden made Argon2id the default for new signups starting in 2023.
  3. Incident communication has to be genuine. LastPass's post-incident messaging — "you are safe if your master password is strong" — was widely read as deflection, and the trust damage was unrecoverable. LastPass's global market share dropped to single digits by 2026.

LastPass is still operating and the product has materially improved, but because trust is the entire foundation of a security tool, recovery is slow. Almost no security researcher in 2026 recommends LastPass as a new user's first choice.

1Password 8 — the family and business standard

1Password 8 launched as an Electron desktop rewrite that frustrated longtime macOS users (lost native Keychain integration, memory footprint, missing shortcuts). Through 2024–2025 performance stabilized, and by 2026 the app delivers first-class client experiences on macOS Sequoia, Windows 11/12, and Linux (official deb/rpm).

Key differentiators:

  • Secret Key architecture. Beyond the master password, every account has a 128-bit Secret Key generated client-side. The server cannot decrypt the vault from the master-password hash alone, making LastPass-style offline brute-force essentially impossible.
  • Watchtower. Have I Been Pwned integration, weak/reused password detection, soon-to-expire domain warnings, sites without 2FA enabled, and weak-KDF alerts, all in one panel.
  • Travel Mode. Designed for crossing borders. You designate vaults to keep on-device and leave the rest server-only. Toggle it before crossing and your sensitive vaults vanish cleanly from the device.
  • Developer integrations. The 1Password CLI (op), GitHub Actions integration, Kubernetes Operator, SSH agent mode, and direct secret injection for tools like Biome and Wasp are now standard.
  • Passkey. GA for consumers in 2024. Family passkey sharing GA in 2025. Business SSO-bound passkeys widely deployed in 2026.

Pricing: Individual $3.99/month, Families (5 members) $6.99/month, Business $7.99/user/month. A 30-day free trial is available, plus student and open-source maintainer discounts. By 2026, if you want to solve "complex family sharing + Watchtower + developer workflow" in one shot, 1Password is effectively the default choice.

Bitwarden — the open-source champion

Bitwarden is a full-stack open-source password manager: client, server, and mobile apps are all under GPLv3. As of 2026 it is the most self-hosted manager (Vaultwarden included), and even the free tier offers unlimited vault items, unlimited devices, and full sync.

| | Free | Premium ($10/year) | Families ($40/year, 6 users) | Teams ($4/user/month) | Enterprise ($6/user/month) |
|---|---|---|---|---|---|
| Vault items | unlimited | unlimited | unlimited | unlimited | unlimited |
| Devices | unlimited | unlimited | unlimited | unlimited | unlimited |
| 2FA token storage | no | yes | yes | yes | yes |
| File attachments | no | 1GB | 1GB | 1GB | 1GB |
| Security reports | basic | Watchtower-level | Watchtower-level | yes | yes |

Major 2026 changes:

  • Passkey support. Client GA in 2024. Since 2025, passkeys live in the vault and sync across all platforms (web, desktop, mobile).
  • Argon2id default. New accounts default to Argon2id. Existing PBKDF2 users can migrate.
  • Self-hosting. Beyond the official Bitwarden server, Vaultwarden (a Rust-written compatible server in a single container) is hugely popular for families and small teams on NAS or VPS.
  • Bitwarden Secrets Manager. Released as a separate product in 2023 — a KV secret store positioned as a lightweight HashiCorp Vault alternative.

Bitwarden's philosophy — "trust is proven through code" — held through 2025 when license-change concerns surfaced; the resolution was a partial adoption of Mozilla Public License 2.0. For users who prioritize open source, self-hosting, or "free first," it is the strongest 2026 recommendation.

Proton Pass — free plus the Proton ecosystem

Proton Pass is the password manager from Swiss-based Proton AG (the team behind ProtonMail, ProtonVPN, ProtonDrive). It launched in 2023 and grew explosively through 2024–2025. In 2026 its free tier is among the most generous in the market.

  • Free plan: Unlimited vault items, unlimited devices, 10 hide-my-email aliases, 2FA token storage, Proton Sentinel monitoring, passkey storage — all free.
  • Proton Unlimited ($12.99/month): Bundled with Mail, VPN, Drive, Pass, Calendar. A standalone Pass Plus tier exists at $4.99/month.
  • Alias system. After Proton acquired SimpleLogin in 2022, aliases integrate cleanly with Proton Mail. You can generate a per-site disposable email alias and attach it to a vault item.
  • E2EE. As with the rest of the Proton stack, client-side encryption. Swiss jurisdiction. PGP-compatible key model.

Proton Pass's biggest differentiator is its "privacy full-stack" pitch — mail, VPN, drive, calendar, and passwords from one company, one identity, one bill. The downside is increased Proton ecosystem lock-in, and sync latency in parts of the US and Asia can feel slightly worse than 1Password or Bitwarden.

Dashlane / NordPass / Enpass / RoboForm — the other options

Dashlane

Strong point: bundled VPN. In 2024 Dashlane retired its native desktop apps in favor of web-only access, which annoyed part of the user base, but browser extension quality remained good. Dark-web monitoring and family-sharing UX are smooth. Premium is $4.99/month, slightly above average.

NordPass

The password manager from Nord Security (NordVPN, NordLayer). XChaCha20 is the marketing differentiator, but the practical security impact is minor. The Nord ecosystem bundle pricing is attractive, but as a standalone choice the case is weak.

Enpass

A local-first manager. You put the vault file on iCloud, Dropbox, OneDrive, or WebDAV yourself. A one-time lifetime license is available, which appeals to users tired of subscriptions. Weaker on family sharing, and passkey support only reached "general user" quality in 2025.

RoboForm

A long-time veteran. Still around in 2026, but the UI shows its age. Form auto-fill is, by some accounts, still the industry's best — so users with frequent tax filings, brokerage forms, and bookings may find it surprisingly useful. Not actively recommended for new users in 2026.

KeePassXC — the local-only classic

KeePassXC began as a KeePassX fork and is now the de-facto official desktop client of the KeePass ecosystem. As of 2026 it ships first-class native apps on macOS, Windows, and Linux.

Highlights:

  • A single .kdbx file. Your entire vault is one encrypted file. Sync it via iCloud, Dropbox, Syncthing, Git annex, USB, whatever you want.
  • No server. Zero vendor lock-in. Even if the project disappeared, any KeePass-compatible client can read .kdbx forever.
  • YubiKey HMAC-SHA1 challenge-response. Combine master password + YubiKey to enforce 2FA at unlock.
  • Browser integration. KeePassXC-Browser extension plus native messaging.
  • Mobile. No official mobile app. iOS users pick Strongbox or KeePassium; Android users pick KeePassDX.

The weak spots are mobile experience and family sharing. Running a family vault means everyone in the family learns KeePass and agrees on sync. Conversely, for "my data must live only on my devices" users, KeePassXC remains the clear best choice in 2026.

iOS Passwords (iOS 18) + macOS Sequoia — Apple's free heavyweight

In iOS 18 (autumn 2024), Apple finally extracted Keychain's password features into a standalone "Passwords" app. The same app ships in macOS Sequoia, iPadOS 18, and visionOS 2. By 2026 it is arguably the best-integrated free password manager.

  • iCloud Keychain backend. E2EE. Even if you lose every device, recovery is possible via iCloud Recovery Key plus contacts plus Apple ID password.
  • First-class passkey support. Passkeys created on any Apple device sync to all the others automatically.
  • Sharing groups. You can put only the items you want to share with family into a separate vault.
  • 2FA tokens. TOTP seeds live alongside vault items and autofill in one tap.
  • Security recommendations. Leaked passwords, weak passwords, and reuse are surfaced automatically.
  • Windows integration. An iCloud Passwords Windows app, plus Chrome and Edge extensions.

Downsides: (1) the Android experience is weak — iCloud for Windows + browser works, but mobile is essentially unusable — and (2) if not everyone in the family is on Apple, the shared vault loses meaning. For a fully-Apple household in 2026, there is no real reason to pay for 1Password.

Android Credential Manager + Google Password Manager

Introduced in Android 14 and broadly adopted in Android 15, Credential Manager unifies passwords, passkeys, and federated identity (Sign in with Google) behind a single API. For developers, autofill and passkey auth are now one flow.

Google Password Manager is the default backend. 2026 changes:

  • On-device encryption. With a sync passphrase enabled (per user), the vault decrypts only on the device. Even Google cannot read it.
  • Cross-OS sync. Via Chrome, syncs to Windows, macOS, Linux, ChromeOS.
  • Passkey. First-class on Android, Chrome, ChromeOS. External security keys (Yubikey) work through standard flows including PRF.
  • Family-group sharing. Linked to Google Family groups, certain items can be shared with family.

Downsides: (1) OS integration is not quite as seamless as Apple's — autofill behaves slightly differently per app — and (2) on iOS, Chrome autofill works but first-class OS integration does not.

Mozilla Firefox Passwords — the browser-bundled option

Firefox Lockwise was discontinued, but its features were absorbed into Firefox proper and Firefox Sync. As of 2026, passwords stored in Firefox sync via your Mozilla account, and some items show Have I Been Pwned-based leak warnings.

| Capability | Status |
|---|---|
| Cross-device sync | Mozilla account + Firefox Sync |
| Passkey | Generally available since Firefox 121, stabilized by 2026 |
| 2FA tokens | Not supported (use a separate authenticator) |
| Family sharing | Not supported |
| Autofill (mobile) | Works in iOS and Android Firefox apps |

A reasonable choice for Firefox-only users who want a free solution. If you also use Chrome or Safari, the value of the sync drops.

2FA tokens / passkeys / Yubikey integration

The two big topics for password managers in 2026 are (1) should TOTP seeds live in the vault, and (2) where do passkeys live.

Trade-off of storing TOTP seeds in the vault

The advantage is that autofill collapses to a single step: the manager fills both the password and the OTP at once. The disadvantage is that a vault compromise leaks the password and the 2FA seed together, so the essence of 2FA as "a separate factor" disappears.

A reasonable middle ground:

  • Ordinary sites (shopping, communities): TOTP in vault is fine.
  • Financial, mail, cloud consoles, the vault itself: use a separate authenticator app (Aegis, Raivo, Ente Auth, 1Password's external mode, or a Yubikey).
  • The master for the vault itself: must be protected by a hardware key (Yubikey, Solokey).
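
Why an in-vault TOTP seed stops being a separate factor, as an added example (not code from this post or from any manager): the RFC 6238 code is a pure function of the seed and the clock, so whoever can read the vault item holds both factors. The vault entries, category names and the `SEPARATE_FACTOR` set are constructed assumptions that mirror the middle ground listed above.

```python
import base64
import hashlib
import hmac
import struct


def totp(seed_b32: str, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: depends only on the seed and the clock."""
    padded = seed_b32.upper() + "=" * (-len(seed_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


# Assumption: category labels for the accounts the list above says should
# keep their second factor outside the vault.
SEPARATE_FACTOR = {"financial", "mail", "cloud-console", "vault"}

# Constructed sample of decrypted vault items. The bank seed is the RFC 6238
# test seed ("12345678901234567890" in base32); the other is a demo value.
VAULT_EXPORT = [
    {"site": "forum.example", "category": "community",
     "totp_seed": "JBSWY3DPEHPK3PXP"},
    {"site": "bank.example", "category": "financial",
     "totp_seed": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"},
    {"site": "mail.example", "category": "mail", "totp_seed": None},
]


def factors_exposed(vault, now):
    """Per site: the currently valid code a reader of the vault can compute,
    or None when the second factor lives outside the vault."""
    return {item["site"]: totp(item["totp_seed"], now) if item["totp_seed"] else None
            for item in vault}


def policy_violations(vault):
    """Sites in a high-value category whose TOTP seed is stored in the vault."""
    return [item["site"] for item in vault
            if item["totp_seed"] and item["category"] in SEPARATE_FACTOR]


if __name__ == "__main__":
    import time
    print(factors_exposed(VAULT_EXPORT, int(time.time())))
    print("move to a separate authenticator:", policy_violations(VAULT_EXPORT))
```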

Where to store passkeys

In 2026 the main options are:

  • Apple Keychain / Google Password Manager. OS-sync based. Smoothest, but OS lock-in.
  • 1Password / Bitwarden / Proton Pass. Cross-OS sync. WebAuthn PRF extension widely supported.
  • Yubikey, Solokey, Nitrokey. Device-bound, non-sync passkeys. A backup key is mandatory.

In enterprise settings, policies increasingly distinguish "vault-synced passkeys" from "device-bound passkeys." Admin and HSM access goes device-bound; everyday SaaS uses vault-synced.

Yubikey/Solokey and the vault

The Yubikey 5 series, Yubikey Bio, and Yubikey 5C NFC work as 2FA across essentially every manager in 2026. The trick is to separate "the key that unlocks the vault" from "the key for site login," and to own at least two of each. Losing a key should be a recoverable event, not a fatal one.

Enterprise vaults — BeyondTrust / CyberArk / Delinea / Akeyless

Apart from consumer managers, enterprises split "human passwords" from "machine credentials" via PAM (Privileged Access Management). The main 2026 vendors:

  • CyberArk. The de-facto PAM standard. Modular: Vault, PSM (session manager), CPM (automatic rotation), AAM (app-to-app), Conjur (cloud-native secrets). Dominant in finance and government.
  • BeyondTrust. Password Safe (traditional vault), Privilege Management (endpoint privilege control), Remote Support — all integrated. Strong on the remote-support workflow after the Bomgar acquisition.
  • Delinea (formerly Thycotic + Centrify). Secret Server is the core vault. Lighter and faster to deploy than CyberArk. Popular with mid-market firms.
  • Akeyless. Cloud-native, vaultless architecture. DFC (Distributed Fragments Cryptography) splits keys into fragments. Fits SaaS-first environments.

These are not the same category as 1Password or Bitwarden. Users rarely memorize or type passwords directly; the system grants temporary access, records sessions, and handles automatic rotation. For developers, the standard workflow is now GitHub Actions, Jenkins, and Kubernetes pulling short-lived tokens via OIDC trust. The era of static secrets sitting in vaults is ending fast.

How E2EE architectures differ — Bitwarden vs 1Password vs Proton

All three claim "end-to-end encryption," but the implementations differ.

Bitwarden

Master password → PBKDF2-SHA256 (or Argon2id) → master key → unlocks the vault symmetric key → decrypts the vault. The server never knows the vault symmetric key. New accounts default to Argon2id (64MB memory, 3 iterations, parallelism 4). The user can tune KDF parameters.

1Password

Master password + Secret Key (random 128-bit, client-issued) → SRP-6a authentication → two-key derivation. The server cannot decrypt the vault from the master-password hash alone. Registering a new device requires entering the Secret Key as well. This is why 1Password aggressively pushes the Emergency Kit (recommended to print as PDF).
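
The difference between the password-only chain described for Bitwarden and the two-secret derivation described for 1Password, as an added example (a simplified model, not code from either vendor or from this post): with a password-only KDF, a server-side copy lets any password guess be confirmed offline, while mixing in a client-only 128-bit secret leaves nothing to confirm against. The XOR combination, the HKDF labels, the `key_check` stand-in and the sample passwords are assumptions of this sketch; the iteration count is the legacy 5,000 figure cited earlier, kept low so the demo runs quickly.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 5_000  # legacy PBKDF2 count cited on the page; real settings are far higher


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) extract-then-expand with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def password_only_key(password: str, salt: bytes) -> bytes:
    """Master key derived from the password alone."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def two_secret_key(password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Master key needs the password AND a high-entropy secret that stays on the client."""
    pw_part = password_only_key(password, salt)
    sk_part = hkdf_sha256(secret_key, salt, b"demo-secret-key")  # hypothetical label
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def key_check(master_key: bytes) -> bytes:
    """Stand-in for any server-stored value that confirms a key, such as a
    wrapped vault key that only authenticates under the right master key."""
    return hmac.new(master_key, b"demo-vault-key-check", hashlib.sha256).digest()


def confirm_guess(candidates, derive, stored_check):
    """Return the first candidate whose derived key matches the stored check."""
    for guess in candidates:
        if hmac.compare_digest(key_check(derive(guess)), stored_check):
            return guess
    return None


def run_demo():
    salt = secrets.token_bytes(16)         # stored server-side, so in the copy
    secret_key = secrets.token_bytes(16)   # 128-bit, never leaves the client
    password = "sunshine2024"                          # constructed weak password
    wordlist = ["letmein", "sunshine2024", "qwerty123"]  # constructed guesses

    stored_a = key_check(password_only_key(password, salt))
    stored_b = key_check(two_secret_key(password, secret_key, salt))

    # Password-only: salt plus check value is enough to confirm a guess.
    found_a = confirm_guess(wordlist, lambda g: password_only_key(g, salt), stored_a)
    # Two-secret: the copy lacks the Secret Key, so even the right password fails.
    found_b = confirm_guess(wordlist, lambda g: two_secret_key(g, bytes(16), salt), stored_b)
    owner_ok = hmac.compare_digest(
        key_check(two_secret_key(password, secret_key, salt)), stored_b)
    return found_a, found_b, owner_ok


if __name__ == "__main__":
    print(run_demo())
```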

Proton Pass

PGP-based key model plus ECC, the same as the rest of the Proton ecosystem. The user password derives a key that unlocks a PGP private key. The PGP key unlocks per-vault-item keys, which in turn decrypt the actual data — three layers.

All three guarantee that "if the server is breached the vault is not exposed in cleartext." The differences are (1) device-registration friction (1Password is the most conservative, hence the most awkward), (2) recovery options (1Password family recovery; Bitwarden Emergency Access; Proton recovery code + phone), and (3) scope of metadata encryption (by 2026 all three have strengthened in this direction).

Korea and Japan — Naver Whale Passwords, Kakao Key, 1Password JP

Korea

  • Naver Start Password (시작 패스워드). Naver-account-based manager, integrated into the Naver app and Whale browser. Free. Weak cross-platform support; macOS desktop story is thin.
  • Kakao Key. Kakao-Talk-authentication-based passkey and 2FA hub. Less a general vault, more an authentication hub inside the Kakao ecosystem.
  • Joint Certificate (formerly Official Accredited Certificate). Abolished as a monopoly in 2020 but persisting. Major banks moved to their own certificates or "simple authentication," but some government sites still demand it. Not something a password manager can fully cover.
  • The seven simple-auth services (KB, PASS, Kakao, Naver, Toss, Payco, Shinhan). In effect a Korean-style passkey. But it is a separate ecosystem from the global passkey standard, so there is no direct integration with 1Password or Bitwarden.

Practical recommendation: global SaaS via 1Password or Bitwarden, Korean finance and government via simple-auth or Joint Certificate. You must accept that these two ecosystems do not mix.

Japan

  • 1Password JP. The most popular paid manager in Japan. Japanese UX, yen billing, Japanese corporate invoicing.
  • Trend Micro Password Manager. Mostly used by customers already on Trend Micro antivirus. Not recommended as a standalone choice, but common in companies that bought Trend Micro at scale.
  • NEC, Fujitsu, and other SI integrated solutions. Large-enterprise SI shops often run Active Directory + an in-house vault + smart-card auth. CyberArk-class global PAM may run in parallel.
  • OTP cards, IC cards, one-time-password cards. Japan's banking-sector OTP cards and IC-card auth fall outside the scope of a password manager.

Japan is more friendly to global managers than Korea, but enterprise environments lean heavily on SI and vendor lock-in. Among personal users, 1Password JP is the de-facto leader and Bitwarden is closing fast.

Who should pick what — individual / family / business / paranoid

Finally, a recommendation by persona.

1) Individual — free-first

  • All-Apple users: iOS Passwords + iCloud Keychain. Smoothest, cost zero.
  • All-Android / Chrome users: Google Password Manager + Credential Manager. Cost zero.
  • Cross-platform + open-source: Proton Pass Free or Bitwarden Free.
  • Local-only / air-gapped: KeePassXC + Syncthing or USB.

2) Family (3–6 people)

  • All-Apple: iOS Passwords sharing groups.
  • Mixed OS: 1Password Families ($6.99/month, 6 members). Best UX, recovery, family sharing.
  • Cost-first: Bitwarden Families ($40/year, 6 members).
  • Privacy-first: Proton Unlimited family plan.

3) Business (startup to mid-market)

  • Standard: 1Password Business or Bitwarden Teams/Enterprise.
  • Open-source self-hosting: Vaultwarden + SSO (Authentik or Keycloak).
  • DevOps secrets separation: HashiCorp Vault, Doppler, Infisical, Bitwarden Secrets Manager.
  • PAM required: CyberArk, BeyondTrust, Delinea, or Akeyless — pick based on regulation and scale.

4) Paranoid (high-threat individuals — journalists, activists, senior engineers)

  • KeePassXC + Yubikey 5 (two or more) + Syncthing.
  • A separate authenticator app (Aegis, Ente Auth).
  • Vault moves via USB only, never via cloud.
  • Master is 24+ characters of diceware plus a memorized sentinel.
  • Passkeys are device-bound first (the Yubikey itself).

The core recommendation is that no single solution fits everyone. Define your threat model, family composition, device mix, and work environment first, and only then choose a manager. Above all — make the master long, print the recovery kit on paper and store it safely, and keep at least two passkey backup keys. Forgetting your recovery procedure causes a far bigger incident than picking the "wrong" manager.
